From: Charles Swiger <cswiger@mac.com>
Date: Tue, 5 Apr 2005 19:48:42 -0400
To: Robert Watson
cc: Poul-Henning Kamp, current@FreeBSD.org
Subject: Re: Panic on mount with write-locked USB media (umass)
In-Reply-To: <20050405235414.D81173@fledge.watson.org>
References: <2871.1112734748@critter.freebsd.dk> <20050405235414.D81173@fledge.watson.org>
Message-Id: <15973a90882a11f47ec79f954a57a22e@mac.com>

On Apr 5, 2005, at 6:55 PM, Robert Watson wrote:

>> There are two ways that a filesystem correctly could handle an R/O
>> medium:
>>
>> 1. Fail with EROFS unless asked [to be?] mounted read-only
>>
>> 2. Silently downgrade the mount to read-only.
>>
>> I personally prefer the first because that way a script does not have
>> to check if it got the mount it wanted or not.
>
> In general, I agree, but this will de-POLA the following command:
>
> mount -t cd9660 /dev/acd0 /cdrom
>
> I wonder if a useful middle ground is to adopt (1) above except in the
> case of perennially read-only file systems (cd9660), in which case (2)
> is adopted?

If a process tries to mount read-only media read/write, the attempt
should fail with EROFS.

However, what would happen if the mount command (or mount command family)
opened filesystems read-only by default, unless otherwise specified?
/etc/fstab contains "rw", so people trying to mount / and any other
filesystems seen there would retain the previous behavior, regardless.

Perhaps the system could try to upgrade a mount from read-only to
read-write if and when a process wants to write to that filesystem -- IFF
read-write access is possible and permitted, AND the mount was not
explicitly mounted read-only.

I won't claim this change helps POLA, although there do seem to be some
cases where it might (i.e., the example above); however, it follows the
"principle of least privilege"...

-- 
-Chuck
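As an added illustration (not code from the thread), the check a script is forced to do under option (2), where the kernel silently downgrades a mount to read-only: parse FreeBSD-style mount(8) output and verify the mount point really came up read/write. The mount listing is constructed sample text, so nothing is mounted; the function names are my own.

```shell
# Constructed sample of FreeBSD "mount" output, e.g.
#   /dev/acd0 on /cdrom (cd9660, local, read-only)
SAMPLE_MOUNT_OUTPUT='/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/acd0 on /cdrom (cd9660, local, read-only)
/dev/da0s1 on /mnt/usb (msdosfs, local, read-only)'

# mount_flags LISTING MOUNTPOINT
# Prints the parenthesised flag list for MOUNTPOINT; returns 1 if
# MOUNTPOINT does not appear in LISTING at all.
mount_flags() {
    listing=$1; mp=$2
    printf '%s\n' "$listing" | awk -v mp="$mp" '
        BEGIN { found = 0 }
        $2 == "on" && $3 == mp {
            sub(/^[^(]*\(/, ""); sub(/\)$/, ""); print; found = 1
        }
        END { if (found) exit 0; else exit 1 }'
}

# mount_is_readonly LISTING MOUNTPOINT
# Returns 0 if mounted read-only, 1 if read/write, 2 if not mounted.
mount_is_readonly() {
    flags=$(mount_flags "$1" "$2") || return 2
    case ",$flags," in
        *", read-only,"*|*",read-only,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# assert_mounted_rw LISTING MOUNTPOINT
# The post-mount check a script needs when it asked for read/write but
# the system may have handed it a read-only mount instead (option 2).
# Under option 1 the mount itself fails with EROFS and this is unneeded.
assert_mounted_rw() {
    rc=0
    mount_is_readonly "$1" "$2" || rc=$?
    case $rc in
        0) echo "$2: mounted read-only, not read/write as requested" >&2
           return 1 ;;
        1) return 0 ;;
        *) echo "$2: not mounted" >&2; return 2 ;;
    esac
}
```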